Prisma Cloud IAC Scan Policy Operators

The operators that you can use as match criteria in the JSON query of a custom Configuration policy with the Build subtype.
For Prisma Cloud DevOps Security, you can create configuration policies to scan the Infrastructure as Code (IaC) templates that you use to deploy cloud resources. Policies that scan IaC templates use a JSON query instead of RQL. The following operators are available in a JSON query when you Add a JSON Query for Build Policy Subtype and specify the properties or objects to which you want to apply policy checks. Each operator is listed with its accepted spellings (long form and, where one exists, short form), followed by a usage example.
Operator
Usage Examples
'greater than' | '>'
$.spec.template.spec.containers[*].securityContext.runAsUser greater than 1
'less than' | '<'
$.spec.template.spec.containers[*].securityContext.runAsUser less than 9999
'equals' | '=='
$.resource[*].aws_iam_account_password_policy[*].*[*].password_reuse_prevention equals 0
'does not equal'
$.resource[*].aws_vpc_peering_connection[*].*[*].peer_vpc_id does not equal $.resource[*].aws_vpc_peering_connection[*].*[*].vpc_id
'starts with' | 'startsWith'
$.resource[*].aws_eks_cluster[*].*[*].version starts with 1.9.
'does not start with' | '!startsWith'
$.resource[*].aws_eks_cluster[*].*[*].version does not start with 1.9.
'ends with' | 'endsWith'
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].member ends with ".gserviceaccount.com"
'does not end with' | '!endsWith'
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].member does not end with ".gserviceaccount.com"
'contains'
$.Resources.*[?(@.Type == 'AWS::SQS::Queue')].Properties.KmsMasterKeyId contains alias/aws/sqs
'includes one'
'does not contain' | '!contains'
$.Resources.*[?(@.Type == 'AWS::SQS::Queue')].Properties.KmsMasterKeyId does not contain alias/aws/sqs
'is empty' | 'isEmpty'
$.resource.*.google_container_cluster.*.*.*.master_auth.*.password is empty
'is not empty' | '!isEmpty'
$.resource.*.google_container_cluster.*.*.*.master_auth.*.password is not empty
'any empty' | 'anyEmpty'
$.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId any empty
'none empty' | 'noneEmpty'
$.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId none empty
'all empty' | 'allEmpty'
$.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId all empty
'any null' | 'anyNull'
$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.LoggingConfiguration any null
'exists'
$.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions exists
'does not exist' | '!exists'
$.Resources.*[?(@.Type == 'AWS::Elasticsearch::Domain')].Properties.VPCOptions does not exist
'any start with' | 'anyStartWith'
$.resource[*].aws_eks_cluster[*].*[*].version any start with 1.9.
'none start with' | 'noneStartWith'
$.resource[*].aws_eks_cluster[*].*[*].version none start with 1.9.
'all start with' | 'allStartWith'
$.resource[*].google_container_node_pool.*[*].*.node_config[*].image_type all start with cos
'any end with' | 'anyEndWith'
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members any end with ".gserviceaccount.com"
'none end with' | 'noneEndWith'
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members none end with ".gserviceaccount.com"
'all end with' | 'allEndWith'
$.data[*].google_iam_policy[*].*[*].binding[?( @.role=='roles/editor' || @.role=='roles/owner' )].members all end with ".gserviceaccount.com"
'any equal' | 'anyEqual'
$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicReadWrite
'none equal' | 'noneEqual'
$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl none equal PublicReadWrite
'all equal' | 'allEqual'
$.resource.*.azurerm_storage_account[*].*[*].network_rules[*].bypass all equal "AzureServices"
'size equals' | 'size =='
$.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy size equals 0
'size does not equal' | 'size !='
$.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy size does not equal 0
'size greater than' | 'size >'
$.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '22' && @.ToPort == '22' && @.CidrIp == '0.0.0.0/0')] size greater than 0
'size less than' | 'size <'
$.resource.*.azurerm_monitor_log_profile[*].*[*].retention_policy size less than 10
'length equals' | 'length =='
'length does not equal' | 'length !='
'length greater than' | 'length >'
'length less than' | 'length <'
'any true' | 'anyTrue'
$.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled any true
'none true' | 'noneTrue'
$.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled none true
'all true' | 'allTrue'
$.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled all true
'any false' | 'anyFalse'
$.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled any false
'none false' | 'noneFalse'
$.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled none false
'all false' | 'allFalse'
$.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled all false
'is true' | 'isTrue'
$.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled is true
'is false' | 'isFalse'
$.resource[*].aws_db_event_subscription[*].*[?(@.source_type=='db-security-group')].enabled is false
'is type' | 'isType'
'is not type' | '!isType'
'is member of' | 'isMemberOf'
$.spec.containers[*].securityContext.capabilities.add[*] is member of (FSETID, SETUID, SETGID, SYS)
'is not member of' | '!isMemberOf'
$.spec.containers[*].securityContext.capabilities.add[*] is not member of (FSETID, SETUID, SETGID, SYS)
IDENTIFIER '[]'
| IDENTIFIER '[*]'
| IDENTIFIER '[' INT ']'
| IDENTIFIER '[?(' query_expr ')]'
| '[*]'
$.resource[*].google_compute_subnetwork[*]
$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties
query_expr ('&&' query_expr)+
| query_expr ('||' query_expr)+
| '@.' IDENTIFIER
| '@.' IDENTIFIER '>' INT
| '@.' IDENTIFIER '<' INT
| '@.length-' INT
| '@.' IDENTIFIER '==' ('true' | 'false')
| '@.' IDENTIFIER '!=' ('true' | 'false')
| '@.' IDENTIFIER '==' INT
| '@.' IDENTIFIER '==' RS_STRING
| '@.' IDENTIFIER '!=' INT
| '@.' IDENTIFIER '!=' RS_STRING
| '@.' IDENTIFIER '==' SNGL_QUOTE (NUMERIC_VALUE | INT) SNGL_QUOTE
| '@.' IDENTIFIER '!=' SNGL_QUOTE (NUMERIC_VALUE | INT) SNGL_QUOTE
| '@.' IDENTIFIER '==' WILDCARD
$.resource[*].aws_network_acl.*[*].*.egress[?(@.protocol == 'tcp' && @.from_port == '22' && @.to_port == '22')].action==allow
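To make the operator table and the path grammar above concrete, here is a small evaluator, added as an illustration for this page. It is not Prisma Cloud's own engine and the page does not describe that engine's internals, so the following are assumptions of this example rather than documented behaviour: a filter `[?( ... )]` is applied Jayway-JSONPath style (to array elements, or to a lone object against itself), `size` is the number of values the path matched, `none`/`all` over an empty match set are vacuously true, and a quoted `'22'` is not equal to a bare integer `22`. The template, the check names and `run_checks` are constructed for the example; the four queries are taken from the table (public S3 ACL, SSH ingress from 0.0.0.0/0, CloudTrail without a KMS key, S3 logging configuration).

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample CloudFormation template (not from any real deployment).
TEMPLATE: Dict[str, Any] = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "LogDeliveryWrite",
                   "LoggingConfiguration": {"DestinationBucketName": "audit-logs"}}},
    "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicReadWrite"}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "10.0.0.0/8"}]}},
    "Trail": {"Type": "AWS::CloudTrail::Trail", "Properties": {"KMSKeyId": ""}}}}

# Path segments '.name', '.*', '[*]' and '[?( filter )]'; the filter text is captured whole.
SEGMENT = re.compile(r"\.\*|\.([\w:-]+)|\[\*\]|\[\?\((.*?)\)\]")
# Filter atoms: '@.key' alone (key must be present) or '@.key == literal' / '@.key != literal'.
ATOM = re.compile(r"@\.([\w-]+)\s*(==|!=)?\s*(.*)$")
# Subset of the operator table handled here (long spellings only).
OPERATOR = re.compile(
    r"^(?:(any|none|all) (equal|empty|true|false|start with|end with)(?: (.+))?"
    r"|(exists)|(does not exist)|size (equals|does not equal|greater than|less than) (\d+))$")
QUANT = {"any": any, "all": all, "none": lambda xs: not any(xs)}
TEST = {"equal": lambda v, a: v == a, "empty": lambda v, a: v in ("", None, [], {}),
        "true": lambda v, a: v is True, "false": lambda v, a: v is False,
        "start with": lambda v, a: isinstance(v, str) and v.startswith(a),
        "end with": lambda v, a: isinstance(v, str) and v.endswith(a)}

def _literal(text: str) -> Any:
    # Unquote strings, recognise true/false and integers; anything else stays a bare word.
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "'\"":
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    return int(text) if text.lstrip("-").isdigit() else text

def _atom(node: Any, expr: str) -> bool:
    m = ATOM.match(expr.strip())
    if not m or not isinstance(node, dict):
        return False
    key, op, raw = m.groups()
    if op is None or key not in node:
        return op is None and key in node
    return (node[key] == _literal(raw)) == (op == "==")

def _filter(node: Any, expr: str) -> bool:
    # '||' binds looser than '&&'; no parentheses inside a filter, as in the grammar above.
    return any(all(_atom(node, a) for a in c.split("&&")) for c in expr.split("||"))

def split_query(query: str) -> Tuple[str, str]:
    # The path may contain spaces inside a filter, so consume segments instead of splitting on ' '.
    pos = 1
    while (m := SEGMENT.match(query, pos)):
        pos = m.end()
    return query[:pos], query[pos:].strip()

def select(doc: Any, path: str) -> List[Any]:
    # Resolve a '$...' path to the list of values it matches.
    nodes, pos = [doc], 1
    while pos < len(path):
        m = SEGMENT.match(path, pos)
        if not m:
            raise ValueError(f"cannot parse path at {path[pos:]!r}")
        pos, name, filt, out = m.end(), m.group(1), m.group(2), []
        for n in nodes:
            if name is not None:
                if isinstance(n, dict) and name in n:
                    out.append(n[name])
            elif filt is not None:
                # Assumed Jayway-style: filter list elements, or test a lone object against itself.
                out.extend(c for c in (n if isinstance(n, list) else [n]) if _filter(c, filt))
            elif isinstance(n, (dict, list)):
                out.extend(n.values() if isinstance(n, dict) else n)
        nodes = out
    return nodes

def evaluate(doc: Any, query: str) -> bool:
    # True when the query matches, i.e. the template violates the policy it encodes.
    path, op_text = split_query(query)
    m = OPERATOR.match(op_text)
    if not m:
        raise ValueError(f"unsupported operator {op_text!r}")
    quant, test, arg, exists, absent, size_op, n = m.groups()
    values = select(doc, path)
    if exists or absent:
        return bool(values) if exists else not values
    if size_op:  # size = number of values the path matched (assumption)
        size, limit = len(values), int(n)
        return {"equals": size == limit, "does not equal": size != limit,
                "greater than": size > limit, "less than": size < limit}[size_op]
    want = _literal(arg) if arg is not None else None
    # Empty match set: any -> False, all/none -> True (Python semantics; confirm in the product).
    return QUANT[quant]([TEST[test](v, want) for v in values])

CHECKS = {
    "bucket_acl_public": "$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.AccessControl any equal PublicReadWrite",
    "ssh_open_to_world": "$.Resources.*[?(@.Type == 'AWS::EC2::SecurityGroup')].Properties.SecurityGroupIngress[?(@.IpProtocol == 'tcp' && @.FromPort == '22' && @.ToPort == '22' && @.CidrIp == '0.0.0.0/0')] size greater than 0",
    "trail_without_cmk": "$.Resources.*[?( @.Type == 'AWS::CloudTrail::Trail' )].Properties.KMSKeyId any empty",
    # Does not fire: LogsBucket has logging, so the wildcard path is non-empty even though
    # PublicBucket lacks it. 'does not exist' tests the whole match set, not each resource.
    "bucket_logging_absent": "$.Resources.*[?(@.Type=='AWS::S3::Bucket')].Properties.LoggingConfiguration does not exist",
}

def run_checks(doc: Any = TEMPLATE) -> Dict[str, bool]:
    return {name: evaluate(doc, query) for name, query in CHECKS.items()}
```

Running `run_checks()` flags the public bucket, the world-open SSH rule and the unencrypted trail, but not the bucket without logging: `does not exist` (and likewise `none ...`) is decided on the whole set of values the wildcard path returns, so a check meant to be per-resource has to be written so that the path yields one value per resource, and `none`/`all` over a path that matches nothing pass vacuously unless paired with `exists`. Quoting also matters: the documented SSH example compares against `'22'`, which in this evaluator does not equal a bare integer `22` from a YAML template. Whether the product coerces these cases the same way is worth confirming with a known-bad template before a policy is relied on.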
